Security bugs — A real case found by me (Front-end)

Alexandre Fernandes, published in adidoescode, Oct 8, 2021

Chapter 1 — Front-end

Information security is crucial for every company; everybody knows that.

We also know that companies invest considerable amounts in this area. Some take it seriously and others not as much as they should. Even when the subject is taken seriously, in the end we are talking about human beings, and we all make mistakes.


The security bug discussed today occurred in the iCloud front-end implementation. We know Apple takes infosec seriously, as its bug bounty program can pay up to 1 million USD, but I was still able to find this interesting bug. More information about it can also be found on my page.

The small issue I identified could allow an attacker to steal all of a victim's personal documents after sharing a folder with them in iCloud. How it works is explained below.

Most cloud storage services offer the functionality of sharing files, or directories containing files, with others. How you share is up to you: a file can be shared with one or more people, or simply made public so that anyone with the link can access it.

The bug in iCloud allowed an attacker to inject a cross-site scripting payload into the name of a folder, and it was executed as soon as the victim clicked the folder's information icon.

In iCloud, whenever we need to edit a folder's name or see its details, a small container pops up that is rendered at runtime.

I identified that, unlike the rest of the page, the rendering of this container allowed me to inject HTML tags into the structure of the rendered container, because the folder name (which the sharer controls) was inserted as markup rather than as text. At that point an attacker could add JavaScript code that runs in the victim's iCloud session and performs requests to the API in charge of the CRUD operations in iCloud.
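As an added example (not code from the original post or from Apple), here is the rendering pattern the paragraph above describes, in JavaScript: a folder-details popup assembled from an untrusted folder name, first interpolated raw and then with HTML escaping applied. The `escapeHtml`, `renderFolderDetails*` and `leaksRawMarkup` names and the sample folder are assumptions.

```javascript
// Added example (not from the original post or from Apple's code): the
// rendering pattern behind this bug. A folder-details popup is built at
// runtime by interpolating an attacker-controlled folder name into HTML;
// the hardened version escapes every untrusted field first.

// Escape the five characters that matter in text nodes and quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the folder name goes into the template raw, so any markup in it
// becomes part of the popup's DOM once the string is assigned via innerHTML.
function renderFolderDetailsUnsafe(folder) {
  return `<div class="folder-details">
  <h2>${folder.name}</h2>
  <p>${folder.itemCount} items, shared by ${folder.owner}</p>
</div>`;
}

// Hardened: untrusted fields are escaped before they reach the markup. In a
// real DOM, setting element.textContent instead of innerHTML has the same
// effect; the string form keeps this example runnable outside a browser.
function renderFolderDetailsSafe(folder) {
  return `<div class="folder-details">
  <h2>${escapeHtml(folder.name)}</h2>
  <p>${escapeHtml(folder.itemCount)} items, shared by ${escapeHtml(folder.owner)}</p>
</div>`;
}

// Review check: rendered output must not contain the raw input when that
// input carries markup characters; only its escaped form may appear.
function leaksRawMarkup(html, untrustedInput) {
  return /[<>"']/.test(untrustedInput) && html.includes(untrustedInput);
}

// Constructed sample folder whose name carries a deliberately benign tag; the
// point is that the unsafe renderer treats it as HTML at all.
const sharedFolder = {
  name: 'Holiday photos <b id="injected">2021</b>',
  itemCount: 12,
  owner: "someone@example.com",
};
console.log(leaksRawMarkup(renderFolderDetailsUnsafe(sharedFolder), sharedFolder.name)); // true
console.log(leaksRawMarkup(renderFolderDetailsSafe(sharedFolder), sharedFolder.name));   // false
```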

[Image: the attacker scenario]

Once the exploit is executed, the following actions occur in the victim’s iCloud without them noticing:

1 — Request the iCloud API to retrieve all the document IDs available in the victim's iCloud
2 — Request the iCloud API to move all those documents into the shared malicious folder
3 — Request the iCloud API to delete the malicious folder from the victim's iCloud

At this point the attacker has access to all the victim's files. The victim is still able to recover them, but the attack is not finished yet.

4 — On the attacker's side, once the files have been leaked, the malicious folder's sharing can be reverted to private, so everyone else loses access to its contents.

And then, all the files were leaked to the attacker…

I reported this issue immediately to the Apple Bug Bounty Program.

Triage Dates

25/01/2021 — OPENED
01/02/2021 — RE-TESTED (fixed)
02/02/2021 — Named in Apple's Hall of Fame
16/02/2021 — 9000 USD Bounty award

In the end, it was treated as a critical bug and it was fixed in one week. I got a nice bounty for that, but more important than that, I had the chance to put into practice some months of learning and achieve personal goals from it.

Stay tuned for Chapter 2, it will be related to a backend flaw… bye…
